I have one guy at my company telling me that I should put FF:TMG in between my main Internet-facing firewall (Cisco 5510) and put my Exchange server and DC on the internal network.

I have another guy telling me that I should put the Exchange server and DC in a DMZ

I don't particularly like the idea of having my mailboxes and DCs' usernames/passwords in a DMZ, and I think that Windows authentication would require me opening up so many ports between my DMZ and my internal network that it would be a moot point to have it out there anyway.

4 Answers

It depends on what Exchange version you're using. If you have Exchange 2007 or 2010, there is a role custom made for living in a DMZ: the Edge Server. Put that server in your DMZ and configure correct ports between that server and your private-network Exchange Hub-Transport servers. If you have Exchange 2000/2003, there is no good solution as far as InfoSec is concerned, you're pretty much stuck opening up SMTP (and TCP/443 if you use OWA) to a domained machine.

AD

Again, depends on your Exchange version. If you're at 2007/2010, the Edge server is designed to operate without any live connection to an actual domain-controller so there is absolutely no need to put a DC in the DMZ. If you're with 2000/2003 the server that's receiving Internet mail will have to be domain-connected somehow, which can be to a DC in DMZ (but with no DMZ/Internet firewall ports open) or to DCs on the private network by way of DMZ/Private firewall policy allowing the traffic.

Keep in mind that "DMZ" does not equate to "all ports open"; you can open just the ports you need on both your DMZ/Internet and Private/DMZ firewalls. You can keep an Exchange 2000/2003 server in the DMZ and poke holes in your private/DMZ firewall to allow it to communicate with the DCs in the private network. Yes, it's a stepping stone to having your DCs hacked, but if that really concerns you, upgrade to Exchange 2010, where Microsoft has engineered a much better solution to the problem.

At one point my team discussed placing a Forefront / ISA type box into the DMZ that all inbound traffic would land on prior to being bounced into the internal network. My goal was to publish Exchange 2003 via a DMZ and have all the traffic sanitized before it reached my internal network without the need to replace our PIX or otherwise make major infrastructure changes.

This worked in my test environment with only opening 23 and 443 into the DMZ and only 23 and 443 into the internal network.
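The "open only the ports you need" policy that the first answer describes for an Exchange 2007/2010 Edge Transport server, written out as an ASA access-list set. This is an added example, not configuration from the question or either answer: it assumes ASA 8.3+ object syntax, interfaces named outside/dmz/inside, an Edge server at 10.1.50.10 in the DMZ, a Hub Transport server at 10.1.10.20 on the inside network 10.1.10.0/24, and that EdgeSync (Hub to Edge) uses secure LDAP on TCP 50636. All addresses and object names are placeholders.

```cisco
! Added example (not from the original post). ASA 8.3+ syntax, placeholder addresses.
object network EDGE_SRV
 host 10.1.50.10
object network HUB_SRV
 host 10.1.10.20
object network INSIDE_NET
 subnet 10.1.10.0 255.255.255.0

! Internet -> DMZ: only SMTP, only to the Edge server. No DC, no OWA here.
access-list OUTSIDE_IN remark Inbound mail to the Edge Transport role only
access-list OUTSIDE_IN extended permit tcp any object EDGE_SRV eq smtp
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! DMZ -> inside: the Edge only ever opens SMTP to the Hub. Everything else
! toward the private network is denied before the "any" rules below.
access-list DMZ_IN remark Edge -> Hub SMTP relay
access-list DMZ_IN extended permit tcp object EDGE_SRV object HUB_SRV eq smtp
access-list DMZ_IN extended deny ip object EDGE_SRV object INSIDE_NET log
! DMZ -> Internet: outbound mail and DNS (MX lookups) for the Edge.
access-list DMZ_IN remark Edge outbound SMTP and DNS
access-list DMZ_IN extended permit tcp object EDGE_SRV any eq smtp
access-list DMZ_IN extended permit udp object EDGE_SRV any eq domain
access-list DMZ_IN extended permit tcp object EDGE_SRV any eq domain
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz

! inside -> DMZ: SMTP plus EdgeSync from the Hub to the Edge. EdgeSync pushes
! recipient/config data to the Edge's ADAM/AD LDS instance, so the Edge
! never needs a connection to a real domain controller.
access-list INSIDE_IN remark Hub -> Edge SMTP and EdgeSync (TCP 50636, assumed)
access-list INSIDE_IN extended permit tcp object HUB_SRV object EDGE_SRV eq smtp
access-list INSIDE_IN extended permit tcp object HUB_SRV object EDGE_SRV eq 50636
access-list INSIDE_IN extended deny ip any object EDGE_SRV log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
```

The point of the explicit `deny ... log` lines is that anything the Edge tries to do against the private network besides SMTP to the Hub shows up in the ASA logs, which is exactly the signal you want if that box is ever compromised; the inside ACL keeps the rest of the inside network's existing outbound behaviour untouched while still preventing arbitrary inside hosts from talking to the Edge.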